Configuration Manager and OSD with a side of PowerShell


Automating Dell BIOS-UEFI Standards for Windows 10

If you are starting to deploy Windows 10 (or are currently deploying Windows 8/8.1), then now is the time to make the switch to UEFI. A system needs to be configured for UEFI (without the Compatibility Support Module enabled) in order to take advantage of Secure Boot (and other Windows 10 security features such as Device Guard). With Secure Boot, the firmware only loads drivers and OS loaders that carry a digital signature it trusts, which blocks malware and rootkits that tamper with the boot process.

The first versions of Windows to support Secure Boot were Windows 8 and Windows Server 2012. If you were one of the many companies that either skipped Windows 8/8.1 or only deployed it in limited quantities, then chances are you deployed your systems in legacy BIOS mode. This means that your Windows 7 systems have MBR-partitioned disks, and in order to make the switch to UEFI these systems need to be re-partitioned (GPT). This is one of the limitations of the Windows 10 in-place upgrade method: it does not support changing the disk partitioning structure. The quickest path to Windows 10 is the in-place upgrade, and it might make sense to use it on the systems that qualify. For the ones that don't (including brand new systems), you definitely want to start configuring them for UEFI and Secure Boot now!

In my previous post, How to create a Dell Command-Configure Package in ConfigMgr, I showed how to set up the Dell Command-Configure Package in order to use it in OSD Task Sequences. Now I am going to show an example of how it can be used in WinPE via PXE boot (of course, I use 1E PXE Everywhere 3.0, which is part of Nomad 6.0) to enforce these standards. This not only increases standardization in your environment, it also prevents the costly mistakes that come with manual processes.

The first thing we need to do is create a custom Task Sequence. For this example, I am going to give it the name of BIOS-UEFI Configuration for Windows 10.

NOTE: This Task Sequence example will only work on systems that already have a formatted disk. We will cover handling bare disks at another time.

Once created, edit the Task Sequence. For those of you using Nomad, create the Set Nomad as Download Program (new in Nomad 6.0) and Install and Configure Nomad in Windows PE steps as the first two steps. Otherwise, add an Apply Operating System Image step called Dummy Step to trick CM, and put a Task Sequence variable condition on the step so that the TS variable NEVERTRUE equals TRUE.

This is very important for two reasons: 1. it makes CM treat this as an OSD Task Sequence, so that it can be booted into WinPE and run, and 2. the condition always evaluates to false, so the step is skipped (because we really do not want to apply an OS image yet).

Next, add a Group called Dell BIOS-UEFI Configuration and put a WMI condition on the group with the following query:

Select * From Win32_ComputerSystem WHERE Manufacturer LIKE "%DELL%"

This way it will only apply to Dell systems (useful if you use other OEMs in your environment), and it makes the group easier to copy and paste into other Task Sequences.

Each of the following steps in this group is a Run Command Line step that references the Package Dell Command-Configure-WinPE 3.1.0.250. I have split out each of the steps in order to make the solution modular: not all settings apply to all Dell models, and conditions can be set on the individual steps accordingly. So be sure to test against all models that you support.

Another reason for splitting out the steps is that you get output from each of the commands. I have included steps that attempt to get the current setting prior to the step that actually sets the value. Some of the output can be read from the status messages that are sent back to ConfigMgr, while the rest is only reflected in the smsts.log.

For the steps that get the current values, I have set 'Continue on error' in order to prevent the Task Sequence from failing on non-zero return values. Getting the Secure Boot value, for example, returns a non-zero exit code (along with the text "The option 'secureboot' is not enabled") when it is not enabled, which would otherwise fail the Task Sequence at that point. In other words, we do not care if a step fails reading a value, but we do care if it fails setting one.
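As an added example (not from the original post, and not Dell's or 1E's code), here is a small PowerShell wrapper that reproduces the same get-then-set semantics from one script, for anyone who prefers a single Run PowerShell Script step to many Run Command Line steps: a read may return non-zero without failing anything, while a write that returns non-zero fails the step with cctk's own exit code. It assumes cctk.cmd sits next to the script inside the package (the $CctkPath default), logs next to smsts.log when run under the Task Sequence engine (falling back to %TEMP% otherwise), and only uses cctk options that appear on this page (--secureboot and bootorder --activebootlist).

```powershell
# Added example, not from the post: get-then-set wrapper for Dell Command | Configure.
# Reads are allowed to fail (non-zero exit is logged as a warning); writes are not.
param(
    # Assumed: cctk.cmd lives next to this script inside the Dell Command-Configure-WinPE package.
    [string]$CctkPath = (Join-Path $PSScriptRoot 'cctk.cmd')
)
# Note: $ErrorActionPreference is left at Continue on purpose; with 'Stop', text that cctk
# writes to stderr (redirected with 2>&1 below) would itself become a terminating error.

# Log next to smsts.log when running under the TS engine; otherwise fall back to %TEMP%.
function Get-LogPath {
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        return Join-Path $tsenv.Value('_SMSTSLogPath') 'Dell-BIOS-UEFI.log'
    } catch {
        return Join-Path $env:TEMP 'Dell-BIOS-UEFI.log'
    }
}
$script:LogPath = Get-LogPath

# CMTrace-formatted line so the entry shows up colour-coded (type 1=info, 2=warning, 3=error).
function Write-Log([string]$Message, [int]$Type = 1) {
    $now  = Get-Date
    $line = '<![LOG[{0}]LOG]!><time="{1}" date="{2}" component="DellBIOS" context="" type="{3}" thread="{4}" file="">' -f `
        $Message, $now.ToString('HH:mm:ss.fff+000'), $now.ToString('MM-dd-yyyy'), $Type, $PID
    Add-Content -Path $script:LogPath -Value $line
    Write-Host $Message
}

# Run cctk once and hand back the exit code together with everything it printed.
function Invoke-Cctk([string[]]$Arguments) {
    $output = (& $CctkPath @Arguments 2>&1 | Out-String).Trim()
    [pscustomobject]@{ Arguments = ($Arguments -join ' '); ExitCode = $LASTEXITCODE; Output = $output }
}

# READ: never fatal. cctk --secureboot exits non-zero with "The option 'secureboot' is not enabled"
# when Secure Boot is off, which is information, not an error.
function Get-CctkSetting([string[]]$Arguments) {
    $r = Invoke-Cctk $Arguments
    $type = if ($r.ExitCode -eq 0) { 1 } else { 2 }
    Write-Log ('get [{0}] exit {1}: {2}' -f $r.Arguments, $r.ExitCode, $r.Output) -Type $type
    return $r
}

# WRITE: fatal on non-zero. Exiting with cctk's code makes the Run PowerShell Script step
# (and therefore the Task Sequence) fail right here, which is what we want for a failed set.
function Set-CctkSetting([string[]]$Arguments) {
    $r = Invoke-Cctk $Arguments
    if ($r.ExitCode -ne 0) {
        Write-Log ('set [{0}] FAILED exit {1}: {2}' -f $r.Arguments, $r.ExitCode, $r.Output) -Type 3
        exit $r.ExitCode
    }
    Write-Log ('set [{0}] ok: {1}' -f $r.Arguments, $r.Output)
    return $r
}

# Same order as the Task Sequence steps: read the current value, set it, read it back.
Get-CctkSetting @('--secureboot')                       | Out-Null
Set-CctkSetting @('bootorder', '--activebootlist=uefi') | Out-Null
Get-CctkSetting @('bootorder', '--activebootlist')      | Out-Null
```

Because every cctk call is logged with its full argument list and exit code, a failed write is visible in CMTrace as a red line right before the step failure, which is the same information the split-out Run Command Line steps give you, just in one file.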

Also, these settings are ones that I would set, so please research each one using the Dell Command-Configure documentation and set the values that work for your environment.

Here is a list of the settings:

NOTE: each of the commands uses a double dash (--), which is hard to see in the screen shots.

Outside of the Dell BIOS-UEFI Configuration group, I put a Run Command Line step called Pause with the condition that the Task Sequence variable PAUSE equals TRUE. This is useful for testing and/or troubleshooting, as it launches a command prompt and prevents the Task Sequence from finishing. Simply set the PAUSE variable on either the targeted collection or a device that is being tested.

The last step is a Set Task Sequence Variable step called Restart WinPE. It sets the Task Sequence variable SMSTSPostAction to the value wpeutil reboot, which lets the Task Sequence finish cleanly before the system reboots.

Hopefully you have found this information useful and it gets you well on your way to standardizing your environment's BIOS-UEFI settings. Making the change to UEFI allows you to take full advantage of the security features in Windows 10. Now when you boot into WinPE and run the OSD Task Sequence wizard, it will detect that the system is running UEFI (_SMSTSBootUEFI = TRUE) and the disk will be partitioned and formatted accordingly (GPT).

Great post. Just wanted to note that on some BIOS versions I have seen the command cctk.cmd --secureboot failing with error 257. Just disabling this step works fine. Also I wanted to ask how you can set the UEFI boot order with this TS?

Thanks Mihai! I would recommend updating the BIOS to the latest version and then trying to run the TS with the Secure Boot step enabled (or test running it manually). Oftentimes there are a ton of UEFI fixes in the recent BIOS/UEFI versions. In fact this was happening on a ThinkCentre and as soon as they flashed it to the latest version, it worked fine. As for the UEFI boot order, you can use this command: cctk bootorder --bootlisttype=uefi to get and set the UEFI boot order.

Thanks a lot for sharing this. Has anyone already tried the following?

Working on a migration project from W7 to W10.

I would like also to include the BIOS update in the same task sequence. For this, Dell Command Update can be helpful.
DCU will be installed on the existing Windows 7 OS and will update the BIOS to the latest version. Then the task sequence will restart the computer several times and finally continue with your task sequence steps. (See below for the details.)

1. First I would like to install silently Dell Command Update on W7:
Man_Application_xxxxx_WN_y.y.y_A00.exe /s (see user guide) (msi +-80MB)

Hi Asebbahi, Thanks for your response. I agree that the BIOS/UEFI version should be upgraded prior to going to Windows 10. Right now, Dell can only do BIOS upgrades in a full OS or WinPE x86 (they are working on a WinPE x64 solution). Instead of using DCU, I prefer the total control method and creating BIOS packages for the models in your environment that you plan on supporting Windows 10. This way you can define a standard baseline for your environment (plus it doesn’t require an internet connection). Also, don’t forget to suspend BitLocker if running it.
Thanks,
Mike

Hi Mike, we are migrating from Win7 x86 with legacy BIOS to Win10 x64 with UEFI. All of our machines are Dell models.

I have a task sequence based on your article above which upgrades a Win7 machine's BIOS to the latest version and then converts it to UEFI (UEFI networking enabled) using cctk, forces a PXE boot at next start-up and then restarts. The machines should then pick up the assigned Win10 task sequence and carry on the build.

While this sequence works and the machine performs a UEFI PXE boot, the Dell machines (9030 AIO etc.) won't connect to the SCCM PXE distribution point. I see nothing in smspxe.log and, performing a network trace, the machines don't issue any DHCP traffic.

If I swap the machine back to legacy BIOS and perform a PXE boot, the machines successfully PXE boot. If I then switch the machine to UEFI it then PXE boots successfully.

Hence we can't automate the process of converting the machines to UEFI and building them as Win10 due to this initial UEFI PXE boot failing (powering off/on makes no difference).

One possibility is to disable the legacy PXE boot. Unfortunately I don’t have one of those models to test with but maybe I can check with some of my contacts. On a side note, we (1E.com) have developed technology that makes zero touch BIOS to UEFI possible in a single Task Sequence without a PXE boot. We have not announced it yet, but will be in two weeks at the Midwest Management Summit (mmsmoa.com).

Thanks Mike that would be appreciated. I’m retesting some other Optiplex models but it definitely occurs on 9030 AIO. I’ve tried with legacy roms enabled and disabled but it makes no difference. I’ll keep an eye out for the new 1E tech.

The other thing that I can think of is to try and change the device boot order and remove everything except UEFI PXE. Then change it back after the reboot (this is what you have to do for the other vendors when doing the two task sequence approach with a PXE boot in between). A command like this might point you in the right direction: cctk bootorder --bootlisttype=uefi --sequence=uefi.1 --enabledevice=uefi.1 --disabledevice=hdd

No matter how I try I can't get the forcepxeonnextboot to work. I've tried with Dell OptiPlex 3020 and Latitude 5450, both with the latest BIOS version. According to the log file the value --forcepxeonnextboot=enable is set successfully. But when I reboot the computer it just boots up to Windows. It doesn't even try to perform a network/PXE boot.

I have seen the order of the settings make a difference. So, for example, you want to make the switch from Legacy to UEFI first, disable Legacy Option ROMs, enable UEFI PXE and then force PXE on next reboot. If you are already flipping the settings in that order, then maybe try to actually change the device boot order by only having PXE in the list. This means you will need to switch it back to hdd after the first PXE boot so that it will boot off the hard drive first on subsequent reboots. In addition, possibly log a support case with Dell.
-Mike
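Putting that ordering into a script, as an added example (not from the post, and not Dell's code): it first checks that the machine is a Dell and that the current boot is still Legacy, then applies the writes in the order given in the reply above and stops at the first one that returns non-zero, so a later setting is never applied to a half-converted system. The cctk.cmd path, the --legacyorom option name, the optional setup-password argument (--valsetuppwd), the use of $env:firmware_type as a fallback outside the TS engine, and the -PxeOnlyBootSequence switch (which issues the bootorder command from the earlier comment) are assumptions; --activebootlist, --uefinwstack, --forcepxeonnextboot and --secureboot appear on this page.

```powershell
# Added example, not from the post: Legacy -> UEFI conversion in the order given in the reply above.
param(
    # Assumed path; the MDT comment further down uses the same layout under X:\Deploy.
    [string]$CctkPath = 'X:\Deploy\Dell\Command-Configure-WinPE\cctk.cmd',
    # Assumed: BIOS setup password, only needed if one is set on the system.
    [string]$SetupPassword,
    # Assumed: leave only UEFI PXE (uefi.1) in the boot list for the first UEFI boot.
    [switch]$PxeOnlyBootSequence,
    [switch]$EnableSecureBoot
)

# Run only on Dell hardware and only if the current boot is still Legacy.
function Test-ShouldConvert {
    $mfr = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
    if ($mfr -notlike '*DELL*') { Write-Host "Manufacturer is '$mfr', skipping"; return $false }
    $bootUefi = $null
    # _SMSTSBootUEFI is TRUE under the TS engine when booted UEFI; outside it, fall back to the
    # firmware_type environment variable ('UEFI' or 'Legacy' on Windows 8+ / WinPE 4+).
    try { $bootUefi = (New-Object -ComObject Microsoft.SMS.TSEnvironment).Value('_SMSTSBootUEFI') } catch { }
    if (-not $bootUefi) { $bootUefi = $env:firmware_type }
    if ($bootUefi -in @('TRUE', 'UEFI')) { Write-Host 'Already booted UEFI, nothing to do'; return $false }
    return $true
}

# One write step: any non-zero exit aborts the whole sequence so nothing runs out of order.
function Invoke-Step([string]$Name, [string[]]$Arguments) {
    if ($SetupPassword) { $Arguments += "--valsetuppwd=$SetupPassword" }   # assumed option
    $out = (& $CctkPath @Arguments 2>&1 | Out-String).Trim()
    Write-Host ('{0}: exit {1} {2}' -f $Name, $LASTEXITCODE, $out)
    if ($LASTEXITCODE -ne 0) { throw "$Name failed (exit $LASTEXITCODE): $out" }
}

# Read the active boot list back; assumes cctk prints the word 'uefi' once the switch took.
function Test-ActiveBootListIsUefi {
    $out = (& $CctkPath @('bootorder', '--activebootlist') 2>&1 | Out-String)
    return ($out -match 'uefi')
}

if (Test-ShouldConvert) {
    Invoke-Step 'Switch active boot list to UEFI' @('bootorder', '--activebootlist=uefi')
    Invoke-Step 'Disable legacy option ROMs'      @('--legacyorom=disable')      # assumed option name
    Invoke-Step 'Enable UEFI network stack (PXE)' @('--uefinwstack=enable')
    if ($PxeOnlyBootSequence) {
        Invoke-Step 'UEFI boot list: PXE only' @('bootorder', '--bootlisttype=uefi', '--sequence=uefi.1', '--enabledevice=uefi.1', '--disabledevice=hdd')
    }
    if ($EnableSecureBoot) {
        Invoke-Step 'Enable Secure Boot' @('--secureboot=enable')
    }
    Invoke-Step 'Force PXE on next boot' @('--forcepxeonnextboot=enable')
    if (-not (Test-ActiveBootListIsUefi)) { throw 'Active boot list still not UEFI, refusing to continue to reboot' }
    Write-Host 'Conversion complete; the next boot will PXE boot in UEFI mode'
}
```

If you use -PxeOnlyBootSequence, the Windows 10 Task Sequence that runs after the first UEFI PXE boot has to put hdd back at the top of the UEFI boot list (the mirror image of that bootorder call), otherwise every later reboot goes to PXE, exactly as the reply notes.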

Hi Mike, do you have any details around 1E's technology for converting BIOS to UEFI in a single task sequence? Is this standalone software or do you have to buy a suite etc? The 9030 AIO UEFI PXE issue I have is apparently fixed in an upcoming BIOS release. However my testing of UEFI PXE seems to be pretty flaky in general so far.

Hi Carl, we announced our 1E OSD Solution Accelerator last Monday at the Midwest Management Summit. We are planning for a Q3 release and it will include a couple of Task Sequence custom actions: one that does the OEM settings and another that enables the process to be done in a single Task Sequence. The OEM step can be seen here: https://twitter.com/BMooreatDell/status/732308450638766080/photo/1 . We (1E) do have a Windows 10 suite bundle that includes Shopping, AppClarity and Nomad (which includes PXE Everywhere). This suite enables app-mapping, peer based user state backup, P2P content transfer, P2P PXE booting and enables users to shop for OS upgrades. It will also include the OSD Solution Accelerator once it is released. We received a lot of interest and feedback this week at the conference and are using that information to determine if we also want to make it available as a standalone product. Keep an eye on http://www.1e.com for new information and follow us on twitter (@miketerrill and @1E_Global) for the latest.
Thanks,
Mike

Thanks Mike, I think a standalone product would attract a lot of interest. It would make the transition to UEFI far simpler and I’d imagine much more reliable than the UEFI pxe boot option. I’ll keep an eye out for updates. Thanks once again.

Thank you Mike, very much appreciated. The Task Sequence didn't get exported with all its dependencies. Would it be possible to do another export with dependencies (packages included)? It will make my life a lot easier so I don't have to re-invent the wheel.

We use Symantec Endpoint Encryption and McAfee, depending on the environment – It’s not a consistent error, but we’ll occasionally see 0x80070032 right when starting the task sequence (from PXE). The diskpart clean resolves the issue, so we ask the techs to do that manually prior to starting an image.

Hi Mike, can you comment about handling bare disks? Due to various encryption software, we always diskpart/clean our disks prior to reimaging. I tried adding a basic format disk step, but no joy; it dies on the first HAPI driver install.

Hi David,
I have format steps at the start, since CM requires a disk to write to during the TS. If it boots BIOS, then it needs to be formatted accordingly and same goes for UEFI. What is in the smsts.log for the step that fails?
-Mike

Hi Mike, I'm using a standard Format and Partition Disk step just before the HAPI driver step. Standard MBR, NTFS quick, checked the option to make it the boot disk. SMSTS shows: The step (Install Dell HAPI Drivers) must be running in full OS and Failed to run the action: Install Dell HAPI Drivers. The request is not supported. (Error: 80070032; Source: Windows). I'm also seeing this error in the log: Failed to save environment to (80070057). Failed to save the current environment block. This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance.
The parameter is incorrect. (Error: 80070057; Source: Windows)

I would check to see that the disk is partitioned and formatted correctly. I ran into a similar TS error one time and it turned out the disk was not setup correctly. If this is the case, then the TS Engine is going to have a difficult time writing to the disk (which is needed for the package). Search the smsts.log for “unsupported file system” and see if you get any hits.

If that is not it, then also be sure that you are running the correct platform architecture (x86 or x64) of the HAPI driver install.
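An added example (not from the post) of doing that smsts.log check without paging through the file by hand: it parses CMTrace-format entries, keeps the error entries and any entry carrying a failing HRESULT (0x8xxxxxxx), and annotates the symptoms discussed in this thread with the check Mike recommends. The sample log lines are constructed here from the messages quoted in the comment above and are not a real smsts.log; the parser assumes one entry per line, which holds for these entries.

```powershell
# Added example, not from the post: pull failure entries out of a CMTrace-format smsts.log.
# Each entry looks like:
# <![LOG[message]LOG]!><time="HH:mm:ss.fff+000" date="MM-dd-yyyy" component="..." context="" type="N" thread="N" file="...">
function ConvertFrom-CMTraceLog([string[]]$Lines) {
    $pattern = '^<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)" date="(?<Date>[^"]*)" component="(?<Component>[^"]*)" context="[^"]*" type="(?<Type>\d)"'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }            # assumption: one entry per line
        $msg  = $m.Groups['Message'].Value
        $code = [regex]::Match($msg, '\b(8[0-9A-Fa-f]{7})\b')   # HRESULT with the failure bit set
        [pscustomobject]@{
            Date      = $m.Groups['Date'].Value
            Time      = $m.Groups['Time'].Value
            Component = $m.Groups['Component'].Value
            Type      = [int]$m.Groups['Type'].Value       # 1=info, 2=warning, 3=error
            ErrorCode = if ($code.Success) { $code.Groups[1].Value.ToUpper() } else { $null }
            Message   = $msg
        }
    }
}

# Map the symptoms from this thread to the check suggested in the replies above.
function Get-TSFailureHint([string]$Message, [string]$ErrorCode) {
    if ($Message -match 'unsupported file system') { return 'Disk not partitioned/formatted for the boot mode (MBR for BIOS, GPT for UEFI)' }
    if ($Message -match 'must be running in full OS') { return 'Check the disk is set up so the TS engine can write to it, then the x86/x64 HAPI build' }
    if ($ErrorCode -eq '80070032') { return 'ERROR_NOT_SUPPORTED: verify disk layout and the platform architecture of the HAPI install' }
    if ($ErrorCode -eq '80070057') { return 'E_INVALIDARG saving the environment block: usually follows the disk problem above' }
    return $null
}

function Get-TSLogFailures([string[]]$Lines) {
    ConvertFrom-CMTraceLog $Lines |
        Where-Object { $_.Type -eq 3 -or $_.ErrorCode -or $_.Message -match 'unsupported file system' } |
        ForEach-Object {
            $_ | Add-Member -NotePropertyName Hint -NotePropertyValue (Get-TSFailureHint $_.Message $_.ErrorCode) -PassThru
        }
}

# Constructed sample (not a real smsts.log); the messages are taken from the comment above.
$sample = @(
    '<![LOG[Executing command line: cctk.cmd --secureboot]LOG]!><time="10:15:01.123+000" date="05-12-2016" component="RunCommandLine" context="" type="1" thread="1240" file="">',
    '<![LOG[Process completed with exit code 257]LOG]!><time="10:15:02.456+000" date="05-12-2016" component="RunCommandLine" context="" type="1" thread="1240" file="">',
    '<![LOG[The step (Install Dell HAPI Drivers) must be running in full OS]LOG]!><time="10:15:03.000+000" date="05-12-2016" component="TSManager" context="" type="3" thread="1240" file="">',
    '<![LOG[Failed to run the action: Install Dell HAPI Drivers. The request is not supported. (Error: 80070032; Source: Windows)]LOG]!><time="10:15:03.010+000" date="05-12-2016" component="TSManager" context="" type="3" thread="1240" file="">',
    '<![LOG[Failed to save environment to (80070057)]LOG]!><time="10:15:03.020+000" date="05-12-2016" component="TSManager" context="" type="3" thread="1240" file="">'
)
Get-TSLogFailures $sample | Format-Table Time, Component, ErrorCode, Hint, Message -AutoSize -Wrap

# Against a real log from WinPE: Get-TSLogFailures (Get-Content X:\Windows\Temp\SMSTSLog\smsts.log)
```

The info-level line with exit code 257 is deliberately not flagged: it is the Secure Boot read step, and a non-zero code there is the expected 'not enabled' answer, not a failure.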

Hello Mike. Have got the task sequence for any new machine working exactly how we want. However we are struggling with the TPM and enabling bitlocker on a machine that has come back in for a reimage. As technically the device is already configured with everything but have to disable and clear the TPM chip but as the machine is already in UEFI the cctk does not download in winpe

Hi, it depends on how your step is configured. In order to run under WinPE, you need to have a few things – it should be a Run Command Line step that references the CCTK package. Also, double check to make sure you don’t have any conditions on the step (or groups that contain the step) that would prevent it from running.
-Mike

Very awesome post, thanks for sharing!
Any chance you know where I could find which commands work for which models? For example, "disable legacy ROM" won't work on a Latitude E5420 (latest BIOS revision) and will kill the task sequence (except if I tick "continue on error", of course), and I would really hate having to test each one of our models...
Thanks!

Hello Mike – Thanks for the great post. I’ve experimented with this with winPE bootable usb media, and was wondering if Dell Command | Configure has the ability to automatically change the boot mode settings on a machine (in the WinPE command line) to/from UEFI to Legacy. I didn’t see it in the list of arguments under the cctk menu and was wondering if I’m chasing a dead end.
Cheers,
David

Hi David,
The (sub)option that controls the boot mode (UEFI or Legacy) is --activebootlist. This is used with the option bootorder (no dashes in front of this one). So the command to set UEFI would be:
cctk.exe bootorder --activebootlist=uefi

Thanks! This is great info and is going to save me loads of time. Can CCTK.exe enable/disable computrace in the BIOS as well? How do you usually handle that (if at all) in an SCCM or WinPE environment?

You can definitely do this in WinPE for the baremetal scenario (if that is what you are asking). But keep in mind, once you switch to UEFI mode, the disk layout needs to be configured correctly in order to boot the system.

Hi Mike,
Apparently I’m late to the party, but am just beginning looking at automating Windows 10 OSD using SCCM (using MDT task sequence in SCCM), with a need to automate switching from BIOS to UEFI. This would initially be for imaging machines right out of the box, but we do want to possibly do in-place upgrades from Win7 [BIOS] to Win10 [UEFI].

I’m still trying to get a bearing around this in the big-picture, and I’m confused about Dell CCTK (now called Dell Command | Configure). I also have been looking at your brand new blog posts about MBR2GPT and 1E BIOS to UEFI. Does the latter supersede this older blog post about Dell Command | Configure? We exclusively use Dells, so I’m open to either method – whichever is easier and more robust. Thanks!

Hi Sam,
1E BIOS to UEFI is a utility that we created at 1E to abstract all of the various commands that need to be called (in the correct order) in order to change the settings required to move to UEFI. So in other words, it is the frontend and it uses vendor tools and methods to make the changes. At the present time it is available to 1E customers that own the Windows 10 Suite and Nomad only customers. Without this tool, you can create a package that contains the Dell Command Configure and use a script (or Run Command Line steps) to call the right commands.
-Mike

I am attempting to do a BIOS-to-UEFI conversion using only MDT 2013 8443. I do have Dell Command | Configure and copied the CCTK folders to multiple paths in my DeploymentShare, and following your posts, have worked on configuring this to do the conversion (excluding the ConfigMgr parts).

Now, I set everything up for what looks like to be correct, however it is giving me one of two errors which I have outlined below. I have placed the folders and files in both DeploymentShare$\Scripts(\Dell\Command-Configure-WinPE\) and DeploymentShare$\Extra Files\Deploy\(Dell\Command-Configure-WinPE\). I get the errors listed below associated with the Task Sequence.

I’ve tried multiple different variations but it always comes back to the same two results.

Now, after the OSD (Operating system deployment did not complete successfully) message and it opens Command Prompt, if I browse to X:\Deploy\, I do see the folder structure I put in place. And if I run cmd /c "X:\Deploy\Dell\Command-Configure-WinPE\cctk.cmd bootorder --activebootlist" from the Command Prompt it opens, it will work.

Any idea on getting this to work through the task sequence? I want to convert BIOS-to-UEFI before the OS is installed, so I’m doing this during the Pre-Installation phase.

Make sure you are using the latest CCTK and the latest BIOS version on the system. There have been some issues with BIOS versions and CCTK versions but they should be all fixed in the latest releases. Also, with MDT only, you will need to use MBR2GPT. AFAIK, MDT does not have the same ConfigMgr TS engine that lets you use the TSUEFIDrive variable.

Thank you sir. I will attempt to update the BIOS to the latest, along with creating a task sequence piece to update the BIOS similar to other posts I’ve seen. I’ll see if this helps with it. It’s just weird that it works if I run the command from command prompt, but incorrect function otherwise.

The MBR2GPT, do you mean use that when converting the drive? It is a new install, so it will format the drive for GPT after it configures the BIOS.

MBR2GPT will convert the disk. If it is successful, then flip the firmware to UEFI (and Secure Boot). Recommendation is to run it from within WinPE 1703. I have some blogs coming on it, but just a bit behind at the moment.

Understood. As mentioned, it is a new install of W10 almost all the time, instead of an in-place upgrade. In essence, I am using what MDT automatically creates, which is if it detects UEFI, it will format the disk for GPT. If it doesn’t detect UEFI, it will format for MBR.

The issue I’m having is the actual conversion from BIOS to UEFI using CCTK, is all. Which I am working on your suggestion in updating BIOS. I am going to attempt to do it before it attempts the commands.

I fixed the issue with CCTK not working and got it to run now, except it doesn’t run the cctk.exe -uefinwstack=enable command as it says the system isn’t compatible. Though I didn’t get the BIOS update part working yet. Not sure what the nwstack is used for though.

Only thing I’m trying to figure out now is how to do the CCTK BIOS-to-UEFI conversion, and then reboot back into WinPE and resume the same task sequence to install everything appropriately. Kind of like what Sysprep does except WinPE to WinPE, not Windows to WinPE. Unfortunately even if I set it to convert to UEFI, hard-format the drive to GPT, and then install the OS all without restarting, it will always attempt to boot to PXE after reboot and not recognize the Windows Boot Partition for UEFI.

We’re looking to turn on and activate TPM, and enable BitLocker at the end of an SCCM win 10 image deployment. Can your scripts run during the post OS install phase? Can your cctk.cmd handle multiple arguments? For example:

I haven’t tested it, but you could try and run multiple in one step or create a bat file that does it. It will just make it a little more difficult to troubleshoot when something goes wrong unless you account for error handling. But keeping them on separate TS steps, you get return code/status for each step.

I am having a bit of issue with clearing the TPM after going from Win7 to Win10.
I have a PowerShell script which clears the TPM but get a prompt to press F12, this is not good for a zero touch build.
The issue is when going in to TPM Administration after the build has completed i get 0x900 errors, BitLocker is on and working.